upnpclient.exe

Discussion in 'malware problems & news' started by Kirschstrasse, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. Joe Morlan

    Joe Morlan Guest

    This has been a very helpful thread and I would never have been able to eliminate this $%^&* from my system without all the excellent advice here. Most of the discussion has focused on upnpclient.exe, acrobat.dll, and msdebach.exe. Don't forget the other pieces though.

    In Windows\System32 are the following:

    ps.exe
    ps.bat
    ps

    These should also be deleted. If you are wondering what information about you is being compromised open ps with notepad. It is a plain text file. Mine had a list of passwords and even a credit card number entered on a web site.

    The passwords are in the form of:

    typeGUID = 220d5cd0
    subtypeGUID = 220d5cd1
    itemName = 01c4726b609b9976
    itemData = ******

    where ****** is the plain text password.

    Does anybody know what the GUID identifiers are?
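For anyone triaging one of these capture files, here is a small parser for the record layout quoted above. It is an added example, not code from the thread: the `key = value` layout comes from the post, while the blank-line record separator and the reading of `itemName` as a Windows FILETIME are assumptions made here (the thread never establishes what the identifiers are), and the sample records and secrets are constructed.

```python
# Triage parser for the plain-text 'ps' capture file described above.
# Added example, not from the thread. The 'key = value' record layout is
# taken from the post; the blank-line record separator and reading itemName
# as a Windows FILETIME are assumptions made here, not facts from the thread.
from datetime import datetime, timedelta, timezone

# Constructed sample in the quoted layout; the secrets are made-up test values.
SAMPLE_PS = """\
typeGUID = 220d5cd0
subtypeGUID = 220d5cd1
itemName = 01c4726b609b9976
itemData = hunter2

typeGUID = 220d5cd0
subtypeGUID = 220d5cd1
itemName = 01c4726b609b9976
itemData = 4111111111111111
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_ps(text):
    """Split the file into records; a blank line ends the current record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def filetime_to_datetime(hex_ticks):
    """Assumption: itemName is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_ticks, 16) // 10)

def triage(text):
    """One (typeGUID, capture time, masked secret) row per record, so an incident
    note shows what was taken and when without reprinting the secret itself."""
    rows = []
    for rec in parse_ps(text):
        when = filetime_to_datetime(rec["itemName"]).strftime("%Y-%m-%d %H:%M UTC")
        rows.append((rec["typeGUID"], when, "*" * len(rec.get("itemData", ""))))
    return rows
```

The masked rows tell you which accounts need a password change (and which card needs reissuing) without copying the secrets into the incident note.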
     
  2. Shanej

    Shanej Guest

    Interesting that you trace this back to Sun. After installing my WinXP straight from the pretty gold holographic disc, I went to Sun's website to get Java. I noticed that certain websites would load extremely slowly -- taking enormous amounts of CPU and hanging my whole system until it finally finished whatever it was doing.

    Last month, my virus definitions for Norton expired. I had the 2004 edition. It didn't catch this acrobat.dll either. It wasn't until I got the 2005 Norton AntiVirus that I was even aware of this problem -- as it kept griping about it as a trojan every few seconds.

    I booted into safe mode command prompt immediately and deleted the acrobat.dll file. That did nothing -- it apparently has a master file elsewhere on the computer. So I went into regedit out the lines that spawn the creature, then rebooted and deleted the acrobat.dll in safe mode. That seems to have worked -- Norton isn't complaining anymore, at least.

    What bothers me is that this creature is alive (albeit dormant) somewhere on my computer still -- it's just been bypassed. I would really like to know where the damn original infested file is. One of the antivirus sites (sophos, I believe) mentioned something about "c:\System Volume Information", but I don't know how to get inside of that folder to look. It is listed as a folder, but it is shaded out and I can't open it.
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Shanej, and welcome to Wilders.

    There are different ways to access the System Volume Information folder (SVI) depending on what version of XP you have. This page at The Elder Geeks describes the different access steps. Read down the page until you come to the one for your XP version:

    Accessing the System Volume Information Folder.

    Once you have access to the SVI folder, read through Page 4 of this thread again for the different files mentioned and how to delete them if present.

    Hope the above helps,

    Regards,

    snap
     
  4. stonemike

    stonemike Guest

    I deleted the stuff in system volume information a different way - booted with my windowsXP install disk to a repair console - entered into dos then typed:
    cd "c:\system volume information"
    then deleted the offending files.
    Haven't bought NAV 2005 (my 2004 is still good for a few more months)
     
  5. stonemik

    stonemik Guest

    As a follow-up, acrobat.dll seems to come back but on an irregular basis - the ps and ps.xxx files don't seem to come back, nor does the upnpclient in my system volume information folder or in the task list. I feel like there are more pieces of it out there that we're missing though.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest that you download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Let us know how you go...

    Cheers :D
     
  7. laray111

    laray111 Guest

    Any more info to report. I just found the msdebach.exe on my machine. Kaspersky is flagging it as a trojan. Cannot delete because it is locked. The upnpclient is running and I have disabled the service. I don't know what app I installed.
     
  8. laray111

    laray111 Guest

    Nevermind- I see the rest of the posts. Great info. Should have this thing eliminated soon.
     
  9. laray111

    laray111 Guest

    Ok - gone. The easiest way to remove is to use Service Manager and delete the upnpclient service, then reboot.
    Delete acrobat.dll from system32 and then the ps files, then msdebach.

    You can get the service manager I used here... http://www.l5sg.com/
    It's free, btw.

    thanks, mcrowley

    I had a look at the ps file, it's a text file. All it recorded was some crap I entered in a phishing site I was screwing around with. It didn't get anything legit, but who knows what would happen down the road. Anyway, great info from all.
    Thank you
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks laray111 for sharing your result and the method you used, greatly appreciated.

    Cheers :D
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Service Manager will help get rid of Universal Plug & Play Device Client, but don't forget the new version of HijackThis (version 1.99) also looks out for non-MS Services and therefore can be used to fix it as well.
     
  12. Reijkema

    Reijkema Guest

    Re: upnpclient.exe. My own fault I am afraid!!!

    Thanks for all the advice I found in this forum. I succeeded in removing upnpclient.exe msdebach.exe acrobat.dll etc following your advice and links on the different pages.

    I was also able to trace the file that caused all the trouble in the first place.
    I downloaded:
    winamp_5.06_pro.exe 4.673.536 bytes from ?
    and from a newsgroup or a warez site, i cannot remember

    keygen.exe 25.849 bytes
    and n-gen.nfo

    The exact time 12-12-2004, 10.53 pm I installed the program or used the keygen, this is the timestamp from the upnpclient.exe file in the SVI folder and the msdebach and the other files.

    If you want to find out which files caused your troubles, find the date/timestamp from upnpclient or msdebach and do a search for this exact date on your HD's. Sort on time/date and voila, you will find what caused your troubles.

    Hope this helps

    R.
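The timestamp pivot described in the post above, automated. This is an added example, not code from the thread: it walks a directory tree and lists every file whose timestamp falls within a window of a known-bad file's timestamp, which is exactly the "search for this exact date and sort" step done by hand in Explorer. The root path, the window size and the use of `st_mtime` are assumptions; the `demo()` tree is constructed for illustration.

```python
# Timestamp pivot described above: list every file whose timestamp falls within
# a window around a known-bad file's timestamp. Added example, not from the
# thread; the root path, window and the choice of st_mtime are assumptions.
# On Windows, pass attr="st_ctime" to pivot on creation time instead.
import os
import tempfile
from datetime import datetime, timezone


def files_near_timestamp(root, reference, window_seconds=120, attr="st_mtime"):
    """Return (path, timestamp) for files under root whose `attr` lies within
    window_seconds of the reference file's, oldest first (the reference itself
    is excluded). Unreadable files are skipped rather than aborting the walk."""
    ref_ts = getattr(os.stat(reference), attr)
    ref_path = os.path.abspath(reference)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                ts = getattr(os.stat(path), attr)
            except OSError:
                continue
            if os.path.abspath(path) != ref_path and abs(ts - ref_ts) <= window_seconds:
                hits.append((path, ts))
    return sorted(hits, key=lambda hit: hit[1])


def format_hits(hits):
    """Render hits as 'YYYY-MM-DD HH:MM:SS UTC  path' lines for an incident note."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} UTC  {path}"
            for path, ts in hits]


def demo():
    """Constructed tree: a 'bad' file plus one dropped 30 s after it and one
    unrelated file a day later. Returns the basenames the pivot finds."""
    base = 1_103_000_000  # constructed epoch seconds, Dec 2004
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system32")
        os.mkdir(sub)
        for rel, ts in (("upnpclient.exe", base), ("system32/ps.bat", base + 30),
                        ("system32/readme.txt", base + 86400)):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed")
            os.utime(path, (ts, ts))
        hits = files_near_timestamp(root, os.path.join(root, "upnpclient.exe"))
        return [os.path.basename(path) for path, _ in hits]
```

Run it against `C:\` with the real path of the quarantined file as `reference` and widen `window_seconds` if the dropper and its payloads were written minutes apart.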
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    For whatever reason that you DL'd those files, it serves as a warning to others that it could be much more costly than paying for the proper software.
    I will not moralise about this as I do not know the circumstances that led you to do it.

    Cheers, Pilli :doubt:
     
  14. Mr. Lanky

    Mr. Lanky Guest

    Hello all; just came across this little annoyance myself tonight, and was able to remove using variations on the themes already mentioned in this thread. So, I thought I would offer up my own experience in hopes that it helps someone else as these posts have already helped others, myself included....
    Once I found I was infected the first thing I did was to boot into safe mode. Once there I ensured that the process was not running (of course it wasn't), then I went into services control panel and disabled the service. Next I went into SVI and deleted upnpclient.exe. Then I went into the windows folder and deleted the PS files (there were 3). As for acrobat.dll and msdebach, Norton 2004 was able to quarantine them before I rebooted, and thus they remained in quarantine in safe mode; thus I used the norton "reports" window to delete those 2 files.

    Once all this was done I went into the registry and did some digging around. There were at least a dozen references to the various files, particularly, of UPNPCLIENT and UPNPHOST. So basically, anything that said upnpclient or upnphost I deleted, as well as any and all references to the other infected files. (I did export all the registry keys I deleted first though just in case.)

    At any rate, once all this had been done, I rebooted back into normal mode and everything is fine. No suspicious activity of any kind and both services no longer appear in the services control panel. And of course norton stopped complaining (finally) about the damn trojans it could recognize but could not fix because it's.....well, asstastic (sorry, couldn't resist).
    I wish I could give more detail than I have but alas I was too busy cursing and beating my mouse over my monitor. ;) So I guess that covers it; very big thanks to all who have contributed to this thread, and I hope what little bit I've contributed can be of use to someone.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Whoops! UpnP Host is a legitimate Service, you didn't need to delete references to that in the Registry - just UpnP Client, which is the bad Service. Having said that, no harm will come if you don't use it; and since it is potentially unsafe you probably did yourself a favour getting rid of it!

    Do be careful not to delete anything relating to the Plug and Play Service, which is a vital Service not related to UpnP at all (despite the similarity in name).
     
  16. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    If anyone still wants it, the darn thing is still alive and well on my computer. Sorry I didn't see this before, I have been using PG to block it for some time. Today I got frustrated at something called ps.exe (along with ps and ps.bat) that keeps showing up in my \system32\ subdirectory no matter how much I delete them, and a search on that bugger in the forum led me to this thread. btw, I previously today emailed the folks at PG about ps.exe...
     
    i have had exactly the same problem ...i have tried everything to delete it ... there is another file doing the same as well as a hidden camera file which takes pics of everything i do on my pc ...... i have managed to delete the camera file but i still have a file called acrobat.dll and also the upnp client that i cannot get rid of ...... any help would be greatly appreciated ... please help as this must be quite a rapidly infectious virus cos it seems quite a few people have had the same problem as me .

    >>> E-MAIL ADDRESS REMOVED<<<<is my email
     
    Last edited by a moderator: Aug 31, 2005